commit aa6055abfff5dd5dc5130a9c6f776f592f488bb2
Author: Nicolas Chauvet <kwizart(a)gmail.com>
Date: Fri Oct 18 14:15:15 2024 +0200
resync basessh on fedora
roles/basessh/tasks/main.yml | 26 +++++++++++++-------------
roles/basessh/templates/sshd_config | 34 ++++++++++++++++++++++++++++++----
2 files changed, 43 insertions(+), 17 deletions(-)
---
diff --git a/roles/basessh/tasks/main.yml b/roles/basessh/tasks/main.yml
index bd4706b..e66a1d4 100644
--- a/roles/basessh/tasks/main.yml
+++ b/roles/basessh/tasks/main.yml
@@ -33,7 +33,7 @@
- config
- sshd
- selinux
- when: ansible_distribution_major_version|int < 30 and
ansible_distribution_major_version|int != 8
+ when: ansible_distribution_major_version|int < 8
- name: make sure python3-libselinux is installed
package: name=python3-libselinux state=present
@@ -43,7 +43,7 @@
- config
- sshd
- selinux
- when: ansible_distribution_major_version|int >= 30 or
ansible_distribution_major_version|int == 8
+ when: ansible_distribution_major_version|int >= 8
- name: check if sshd port is already known by selinux
shell: semanage port -l | grep ssh
@@ -72,10 +72,7 @@
- base
- name: sshd_config
- template:
- src: sshd_config
- dest: /etc/ssh/sshd_config
- mode: 0600
+ template: src=sshd_config dest=/etc/ssh/sshd_config mode=0600
notify:
- restart sshd
tags:
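Review bot: Line 38 collapses the `template` module arguments into a single `key=value` string, which Ansible's own style guidance (and ansible-lint) steers away from in favour of native block YAML. The block form the commit removes was fine apart from `mode: 0600` being unquoted, which YAML 1.1 reads as the integer 384 and Ansible then warns about; the conventional fix is to keep the block layout and write `mode: "0600"`. The task's remaining keys (`notify`, `tags`) run past the end of the hunk.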
@@ -112,7 +109,7 @@
- name: Set lists of certs to sign to empty
set_fact:
- certs_to_sign: "[]"
+ certs_to_sign: []
tags:
- basessh
- sshd_cert
@@ -123,7 +120,7 @@
- name: Set list of certs to sign
set_fact:
- certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ certs_to_sign: "{{ certs_to_sign + [item.item.path] }}"
with_items: "{{ssh_cert_files.results}}"
when: not item.stat.exists
tags:
@@ -137,7 +134,7 @@
# Renew if last mod was more than 10 months ago
- name: Get soon-to-expire certificates to sign
set_fact:
- certs_to_sign: "{{certs_to_sign}} + [ '{{item.item.path}}' ]"
+ certs_to_sign: "{{ certs_to_sign + [item.item.path] }}"
with_items: "{{ssh_cert_files.results}}"
when: "item.stat.exists and item.stat.mtime|int < (lookup('pipe',
'date +%s')|int - 25920000)"
tags:
@@ -160,7 +157,9 @@
- name: Create directory for storing pubkeys
file: path="{{pubkeydir}}"
- mode=0700
+ owner=root
+ group=root
+ mode=0600
state=directory
delegate_to: localhost
run_once: true
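Review bot: `mode=0600` on a directory (line 74) drops the search bit, so only root can enter `{{pubkeydir}}`; the `fetch` and `ssh-keygen` tasks that follow are delegated to localhost and will fail to read or write inside it unless the controller user is root. The value the commit replaces, `0700`, is the correct private-directory mode: `mode=0700`. Setting `owner=root group=root` on the controller likewise presumes the play runs with privilege there — if it runs as an unprivileged user the chown fails; worth a comment stating that assumption. The task's trailing keys fall outside the hunk.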
@@ -176,7 +175,7 @@
- name: Get public keys for certs to sign
fetch: src="{{item}}.pub"
dest="{{pubkeydir}}"
- fail_on_missing=true
+ fail_on_missing=false
with_items: "{{certs_to_sign}}"
tags:
- basessh
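Review bot: `fail_on_missing=false` (line 83) turns a missing `{{item}}.pub` into a silent skip at fetch time, so the problem only surfaces later in `Sign the certificates`, where `ssh-keygen` fails on a non-existent `{{pubkeydir}}/{{inventory_hostname}}{{item}}.pub` with a less obvious error. If the intent is to tolerate hosts whose key pair has not been generated yet, `register` the fetch result and filter `certs_to_sign` on it before the signing loop; otherwise failing early here is the clearer behaviour. The inference about the later failure assumes the signing task is the only consumer of these fetched keys, which the hunk cannot confirm.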
@@ -188,7 +187,7 @@
- name: Set some extra signing facts
set_fact:
- sign_hostnames: "{{ssh_hostnames}} + ['{{inventory_hostname}}']"
+ sign_hostnames: "{{ssh_hostnames + [inventory_hostname]}}"
sign_validity: "-1h:+52w"
tags:
- basessh
@@ -200,9 +199,10 @@
# Currently, we use the epoch as serial. That's unique enough for now
- name: Sign the certificates
- shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -I
{{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}}
-z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
+ shell: "ssh-keygen -s {{private}}/files/ssh/{{env}}_ca_host_key -t rsa-sha2-256 -I
{{inventory_hostname}} -h -n {{ sign_hostnames|join(',') }} -V {{sign_validity}}
-z `date +%s` {{pubkeydir}}/{{inventory_hostname}}{{item}}.pub"
delegate_to: localhost
with_items: "{{certs_to_sign}}"
+ check_mode: no
tags:
- basessh
- sshd_cert
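Review bot: `check_mode: no` (line 106) means a `--check` run still executes `ssh-keygen` and writes signed certificates onto the controller, which is a real side effect in what is otherwise a dry run; a one-line comment such as `# signing must run even in check mode so the later copy tasks can be evaluated` would record why that is acceptable, if that is the reason. Ansible conventions also prefer the literal boolean, `check_mode: false`, since `no` is a YAML 1.1 truthy value that yamllint flags. The `-t rsa-sha2-256` flag requires an OpenSSH on the controller new enough to accept it; a version note near the task would help the next person who runs the play from an older host.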
diff --git a/roles/basessh/templates/sshd_config b/roles/basessh/templates/sshd_config
index 7ec4a85..dd3a719 100644
--- a/roles/basessh/templates/sshd_config
+++ b/roles/basessh/templates/sshd_config
@@ -2,18 +2,44 @@ Protocol 2
Port {{ sshd_port }}
-{% if ansible_distribution_major_version == "6" %}
+{% if ansible_distribution_major_version|int == 6 %}
KexAlgorithms diffie-hellman-group-exchange-sha256
MACs hmac-sha2-512,hmac-sha2-256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
-{% else %}
+{% elif ansible_distribution_major_version|int == 7 %}
KexAlgorithms
curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers
chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm(a)openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs
hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128(a)openssh.com
+{% else %}
+# This system is following system-wide crypto policy. The changes to
+# crypto properties (Ciphers, MACs, ...) will not have any effect in
+# this or following included files. To override some configuration option,
+# write it before this block or include it before this file.
+# Please, see manual pages for update-crypto-policies(8) and sshd_config(5).
+# Also look in /usr/lib/systemd/system/sshd.service for how it is called.
+{% endif %}
+
+{% if ansible_distribution_major_version|int >= 9 and ansible_distribution ==
'RedHat' %}
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
+{% endif %}
+{% if ansible_distribution_major_version|int >= 36 and ansible_distribution ==
'Fedora' %}
+# To modify the system-wide sshd configuration, create a *.conf file under
+# /etc/ssh/sshd_config.d/ which will be automatically included below
+Include /etc/ssh/sshd_config.d/*.conf
{% endif %}
+
HostKey /etc/ssh/ssh_host_rsa_key
+{% if not ansible_hostname.startswith(('pkgs01','pagure02')) %}
+HostKey /etc/ssh/ssh_host_ed25519_key
+{% endif %}
+
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+{% if not ansible_hostname.startswith(('pkgs01','pagure02')) %}
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+{% endif %}
SyslogFacility AUTHPRIV
LogLevel VERBOSE
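Review bot: The `Include /etc/ssh/sshd_config.d/*.conf` lines (142 and 148) are emitted near the top of the file, and sshd keeps the first value obtained for each keyword, so any directive a drop-in sets takes precedence over the role's own hardening lines further down (`AllowAgentForwarding no`, `X11Forwarding no`, `PermitTunnel no` in the next hunk). If I recall correctly the stock distribution drop-in on these releases sets several of those same keywords, so the template's values could be silently ineffective; verify the effective configuration with `sshd -T` on a converged host and, if it differs, emit the Include after the role's directives rather than before them. The two Include blocks are identical and could be folded into one `{% if %}` joined with `or`. The `else` branch comment describes crypto-policy behaviour for RHEL 8+ and Fedora, but the Include is only emitted for `RedHat` and `Fedora`, so a rebuild such as CentOS Stream, Rocky or Alma (if this inventory ever contains one — not visible here) would receive neither explicit cipher lines nor the drop-in that applies the policy.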
@@ -31,9 +57,9 @@ AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
-{% if ansible_distribution_major_version == "6" %}
+{% if ansible_distribution_major_version|int == 6 %}
UsePrivilegeSeparation yes
-{% elif ansible_distribution_major_version == "7" %}
+{% elif ansible_distribution_major_version|int == 7 %}
UsePrivilegeSeparation sandbox
{% endif %}